i had been working of a web app and security of that web app is handed to someone. but when testing part come i wanna be ready. so i wanted to know. where to start and where to be guru of it coz i can see if the security of that web app is foolproof or not.
thank u folks for such wonderful feedback. actually i wanna learn it myself rather than to hand over to another person/outsource because i wanna upgrade my skills in web so i thought why not "web security"
Aleksejs, I think you are correct!
That's http://www.owasp.org - (The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software.
I think you meant www.owasp.org (~;
http://www.owas.org is an excellent resource for web application security.
There are a lot of tools both open source and commercial that will allow you test the security of a web application, however it is a must that you understand what those tools are doing to understand the results.
Check out a project from google for learning web application security over here -> http://google-gruyere.appspot.com/
Sure you could do this doublecheck yourself, but I would recommend outsourcing that task to a vendor who can perform the web application security testing, give you a report, and maybe assist with remediation. If you want to make a go of it yourself, take a look at this list of potential software products that you can pick from:
I was going to say Qualys before I saw it was on this list, but the truth is you have a lot of options from Apache mod_security (see modsecurity.org) to simply getting on your coders to use more secure coding techniques.
Microsoft has a pretty good writeup for ASP .NET and web app security.
To study up further on this topic, checkout the Open Web Application Security Project (see owasp.org), and the Web Application Security Consortium (see webappsec.org). Curious to see more posts from you describing what you've learned. Thanks!
Now that is a heck of a question!
In order to be a "guru" of web security, you will need "experience" building up towards becoming that "guru".
Web security and ethical hacking/penetration testing is not something you can fully understand after reading 1 or 2 pdfs or etc.
Go check out penetration testing techniques and the like. There are the top few ways to securing your code on the web, these include XSS and SQL Injections mainly. Most of the time the rest is quite strongly based around the site's environment it lives on.
Ah, finally someone stood up and answered my post. thanks man!